Joint Commission Releases Guidance on Preserving Patient Safety After Cyberattack

The healthcare accreditation organization urged healthcare organizations to form a downtime planning committee and take other actions to prioritize patient safety after a cyberattack.

By Jill McKeon

The Joint Commission, a healthcare accreditation organization, issued guidance on preserving patient safety after a cyberattack in its latest Sentinel Event Alert. The Joint Commission regularly publishes Sentinel Event Alerts for its accredited organizations, examining specific adverse events in healthcare and providing recommendations to mitigate risk.

In this issue, the Joint Commission stressed the importance of having plans and processes in place to ensure that patient care can be delivered without interruption in the wake of a cyber event. The group emphasized the value of collaboration between all hospital staff, addressing vulnerabilities, and removing devices with obsolete operating systems.

“For most hospitals, experiencing a cyberattack that adversely affects operations is not an ‘if’ but a ‘when’ question. Hackers are very adept at finding new ways to intrude; therefore, it’s difficult if not impossible for hospitals to rely solely on preventing attacks with cybersecurity,” the Joint Commission stated.

To combat these risks, the Joint Commission recommended leveraging the results of the organization's hazard vulnerability analysis (HVA), which is required under Joint Commission Emergency Management (EM) Standard EM.11.01.01, to identify the services that must remain available during downtime.

“Organizations should be prepared to have life- and safety-critical technology offline for four weeks or longer,” the guidance added.

“These services include pharmacy (particularly medication order entry systems and medication reconciliation services); medical records; and laboratory, radiology and pathology, as well as other services required by a high volume of patients or patients of high acuity (for example, blood bank, critical care units, intensive care units, infant security, nutrition services, and oncology and transplant).”

In addition, the Joint Commission recommended forming a downtime planning committee, consisting of members from all areas of the hospital, including IT experts, hospital leadership, medical staff, and scheduling professionals.

The committee would be responsible for reviewing and updating the IT risk assessment plan, advising leadership, and recommending training to address patient safety concerns, among other duties.

The Joint Commission encouraged healthcare organizations to regularly update downtime procedures, designate response teams, and train staff on how to operate during downtime by administering drills and exercises.

“The bottom line is you have to drill it often, so people are familiar with it. Whether it be a redundant system or a paper manual system, you have to practice it often,” said Jim Kendig, the Joint Commission’s field director, surveyor management and support, Division of Accreditation and Certification Operations, in the guidance document.

“Practice makes perfect, and perfect practice makes perfect. It’s important to orient staff on what happens when electronic systems are unavailable.”

Effective communication with patients and their families amid a cyberattack is also crucial, the guidance noted. The guidance recommended crafting a scripted template to use for cyber events to ensure that communications get relayed quickly and effectively.

“Avoid delaying decisive action when a cyberattack occurs. Communicate which systems are impacted, as well as which ones are not,” the Joint Commission advised.

“Be clear about both clinical and nonclinical ramifications and about when downtime procedures begin. Communicate what is being done to address the situation and provide frequent status updates. Communicate also with key clinical affiliates and off-site staff and providers, as well as with patients and families as necessary to assure that patient care is safe.”

As cyberattacks continue to impact the healthcare sector and cause lengthy delays and periods of downtime, it is critical that healthcare organizations take proactive steps to reduce risk and keep patients safe.